
Summary
This detection rule identifies the use of Windows Management Instrumentation Command-line (WMIC) with explicit credentials, which is often a precursor to lateral movement. It relies on two Windows Security log events: Event Code 4688 (process creation, which carries the command line only when command-line auditing is enabled) and Event Code 4648 (a logon attempted using explicit credentials, whose process information names the process that supplied them). The rule captures both direct invocations of wmic.exe that pass credentials on the command line and cases where wmic.exe is the process recorded in a 4648 event, indicating that it authenticated with explicit credentials. Defenders can use these matches to surface activity attributed to threat actors such as Flax Typhoon and Volt Typhoon and seen in intrusions involving ransomware strains such as Clop and Quantum. The surrounding techniques, valid-account abuse for persistence and privilege escalation, WMI execution, and remote system discovery, give the broader context needed for triage and proactive defence.
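The two signals the summary describes, run over constructed sample events, as an added example that is not part of the original rule or of Splunk's content. The events, hosts, users, process ids and timestamps below are all made up; the field names follow the Windows Security log as the Splunk Windows TA renders them (NewProcessName and CommandLine for 4688, ProcessName and ProcessId for 4648), and the 30-second join window is an assumption, not a value taken from the rule.

```python
import re
from datetime import datetime, timedelta

# Constructed sample Security-log events (not real telemetry). 4688 = process
# creation; CommandLine is only populated when the "Include command line in
# process creation events" policy is on. 4648 = logon with explicit credentials;
# its Process Information section names the process that supplied them.
SAMPLE_EVENTS = [
    # WMIC launched with /node, /user and /password: credentials on the command line
    {"EventCode": 4688, "_time": "2024-02-09T10:00:01", "host": "WS01",
     "SubjectUserName": "jdoe", "NewProcessId": "0x1a4c",
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:"FS01" /user:"CORP\svc_backup" /password:"Hunter2" '
                    r'process call create "cmd.exe /c whoami"'},
    # the 4648 the same wmic.exe process raises when it authenticates to FS01
    {"EventCode": 4648, "_time": "2024-02-09T10:00:02", "host": "WS01",
     "SubjectUserName": "jdoe", "ProcessId": "0x1a4c",
     "ProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "TargetUserName": "svc_backup", "TargetDomainName": "CORP", "TargetServerName": "FS01"},
    # benign local inventory query: wmic.exe without credentials
    {"EventCode": 4688, "_time": "2024-02-09T10:05:00", "host": "WS01",
     "SubjectUserName": "jdoe", "NewProcessId": "0x2210",
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption"},
    # explicit credentials from another tool; out of scope for this rule
    {"EventCode": 4648, "_time": "2024-02-09T10:06:00", "host": "WS01",
     "SubjectUserName": "jdoe", "ProcessId": "0x3300",
     "ProcessName": r"C:\Windows\System32\runas.exe",
     "TargetUserName": "Administrator", "TargetDomainName": "WS01", "TargetServerName": "localhost"},
    # /user given but no 4648 captured (e.g. password prompt cancelled): 4688 alone still fires
    {"EventCode": 4688, "_time": "2024-02-09T11:00:00", "host": "WS02",
     "SubjectUserName": "admin", "NewProcessId": "0x0f10",
     "NewProcessName": r"C:\Windows\SysWOW64\wbem\WMIC.exe",
     "CommandLine": r"WMIC.exe /node:DC01 /user:CORP\Administrator computersystem get name"},
    # 4648 from wmic.exe with no 4688 (process auditing off on that host): 4648 alone still fires
    {"EventCode": 4648, "_time": "2024-02-09T11:30:00", "host": "WS03",
     "SubjectUserName": "svc_sql", "ProcessId": "0x0444",
     "ProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "TargetUserName": "da_admin", "TargetDomainName": "CORP", "TargetServerName": "DC01"},
]

WMIC_EXE = re.compile(r"(?:^|\\)wmic\.exe$", re.IGNORECASE)
# wmic takes credentials as /user:<name> and /password:<secret>, quoted or not
CRED_SWITCH = re.compile(r"/(?:user|password)\b", re.IGNORECASE)


def is_wmic(path):
    return bool(WMIC_EXE.search(path or ""))


def _ts(event):
    return datetime.fromisoformat(event["_time"])


def wmic_credential_launches(events):
    """Signal 1: 4688 events where wmic.exe was started with /user or /password."""
    return [e for e in events if e["EventCode"] == 4688 and is_wmic(e.get("NewProcessName"))
            and CRED_SWITCH.search(e.get("CommandLine", ""))]


def wmic_explicit_logons(events):
    """Signal 2: 4648 events whose originating process is wmic.exe."""
    return [e for e in events if e["EventCode"] == 4648 and is_wmic(e.get("ProcessName"))]


def detect(events, window=timedelta(seconds=30)):
    """Combine both signals. Each wmic.exe 4688 is joined to 4648s from the same host
    and process id within `window`; a finding is raised when the command line carries
    credential switches, when a 4648 is joined, or both. 4648s that join no 4688 are
    reported on their own so a host without process-creation auditing is not missed."""
    logons = wmic_explicit_logons(events)
    matched, findings = set(), []
    for launch in (e for e in events if e["EventCode"] == 4688 and is_wmic(e.get("NewProcessName"))):
        pid = (launch.get("NewProcessId") or "").lower()
        joined = [i for i, lg in enumerate(logons)
                  if pid and lg["host"] == launch["host"]
                  and (lg.get("ProcessId") or "").lower() == pid
                  and timedelta(0) <= _ts(lg) - _ts(launch) <= window]
        cred_args = bool(CRED_SWITCH.search(launch.get("CommandLine", "")))
        if not cred_args and not joined:
            continue
        matched.update(joined)
        target = logons[joined[0]] if joined else {}
        findings.append({
            "host": launch["host"], "subject_user": launch.get("SubjectUserName"),
            "command_line": launch.get("CommandLine"),
            "target_user": target.get("TargetUserName"), "target_server": target.get("TargetServerName"),
            "evidence": ["4688"] + (["4648"] if joined else []),
        })
    for i, lg in enumerate(logons):
        if i in matched:
            continue
        findings.append({
            "host": lg["host"], "subject_user": lg.get("SubjectUserName"), "command_line": None,
            "target_user": lg.get("TargetUserName"), "target_server": lg.get("TargetServerName"),
            "evidence": ["4648"],
        })
    return findings
```

Running `detect(SAMPLE_EVENTS)` yields three findings: the WS01 launch backed by both 4688 and 4648 (with the target account and server taken from the 4648), the WS02 launch seen only through its command line, and the WS03 logon seen only through 4648. The local `wmic os get caption` query and the runas.exe 4648 are not reported. In a real deployment the join on ProcessId is what keeps the 4648 attribution tight; without it, any 4648 on a host that also ran wmic.exe would be paired with it.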
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
- Logon Session
- Application Log
ATT&CK Techniques
- T1078
- T1047
Created: 2024-02-09